WO2020238414A1 - Method and device for protection from deserialization vulnerability - Google Patents


Info

Publication number: WO2020238414A1
Authority: WO (WIPO, PCT)
Prior art keywords: address, client, weblogic, weblogic server, class
Application number: PCT/CN2020/083363
Other languages: French (fr), Chinese (zh)
Inventor: 郑祎
Original Assignee: 深圳前海微众银行股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L 67/025 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L 69/161 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
    • H04L 69/162 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms

Definitions

  • The present invention relates to the technical field of financial technology (Fintech), in particular to a method and device for protecting against deserialization vulnerabilities.
  • WebLogic is a middleware based on the Java EE architecture, which can be used as a Java application server for the development, integration, deployment and management of large-scale distributed Web applications, network applications and database applications. It is widely used in government, finance, medical, transportation, education, scientific research and other industries and fields.
  • WebLogic has a Java deserialization vulnerability. When an attacker sends carefully constructed serialized data to WebLogic, the vulnerability is triggered and the operation specified by the attacker is executed, which can give control of the server and allow data to be stolen from the database, causing serious impact.
  • The embodiments of the present invention provide a deserialization vulnerability protection method and device, which at least solve the problems existing in the prior art.
  • An embodiment of the present invention provides a method for protecting against deserialization vulnerabilities, which is applied to a WebLogic server and includes:
  • the WebLogic server receives a data request sent by at least one client, and determines whether the data request includes T3/T3S protocol data;
  • if the WebLogic server determines that the data request includes T3/T3S protocol data, it determines whether the client's IP address is a trusted IP address according to the client's Internet Protocol (IP) address and a pre-configured IP address whitelist;
  • if the WebLogic server determines that the client's IP address is a trusted IP address, it processes the T3/T3S protocol data so that the request is handled by the normal process.
  • The WebLogic server determining whether the client's IP address is a trusted IP address according to the client's IP address and a pre-configured IP address whitelist includes:
  • when the WebLogic server executes the MuxableSocketT3 class, it acquires the startup parameters of the WebLogic server, where the startup parameters include the IP address whitelist;
  • if the WebLogic server determines that the client's IP address matches the IP address whitelist, it determines that the client's IP address is a trusted IP address.
  • The method further includes:
  • if the WebLogic server determines that the client's IP address does not match the IP address whitelist, it refuses the connection with the client and records the data request as an attack event.
  • The WebLogic server receiving a data request sent by at least one client includes:
  • the WebLogic server receives data requests sent by Internet clients through the proxy server, and the WebLogic server receives data requests sent by clients on the same local area network.
  • Before the WebLogic server receives a data request sent by at least one client, the method further includes:
  • the WebLogic server determines the location of the MuxableSocketT3 class, and adds the steps of the deserialization vulnerability protection method to the MuxableSocketT3 class.
  • The WebLogic server determining the location of the MuxableSocketT3 class includes:
  • the WebLogic server determines the location of the MuxableSocketT3 class according to whether the MuxableSocketT3 class exists alone (as a standalone class file) or inside a jar package.
  • An embodiment of the present invention provides a device for protecting against deserialization vulnerabilities, including:
  • a T3/T3S protocol data determining unit configured to receive a data request sent by at least one client and determine whether the data request includes T3/T3S protocol data;
  • a judging unit configured to determine, if it is determined that the data request includes T3/T3S protocol data, whether the client's IP address is a trusted IP address according to the client's Internet Protocol (IP) address and a pre-configured IP address whitelist;
  • a T3/T3S protocol data processing unit configured to process the T3/T3S protocol data if it is determined that the client's IP address is a trusted IP address, so that the request is handled by the normal process.
  • The judging unit is specifically configured to:
  • acquire the startup parameters of the WebLogic server, the startup parameters including the IP address whitelist; and
  • determine, if the client's IP address matches the IP address whitelist, that the client's IP address is a trusted IP address.
  • The T3/T3S protocol data processing unit is further used to:
  • reject the connection with the client and record the data request as an attack event, if the client's IP address does not match the IP address whitelist.
  • The T3/T3S protocol data determining unit is specifically configured to:
  • receive data requests sent by Internet clients through the proxy server and data requests sent by clients on the same local area network.
  • The device further includes a configuration unit configured to: determine the location of the MuxableSocketT3 class, and add the steps of the deserialization vulnerability protection method to the MuxableSocketT3 class.
  • The configuration unit is specifically used to:
  • determine the location of the MuxableSocketT3 class according to whether the MuxableSocketT3 class exists alone.
  • An embodiment of the present invention provides a computer device, including a memory, a processor, and a computer program stored in the memory and runnable on the processor; when the processor executes the program, it implements the steps of the deserialization vulnerability protection method.
  • An embodiment of the present invention provides a computer-readable storage medium that stores a computer program executable by a computer device; when the program runs on the computer device, the computer device executes the steps of the deserialization vulnerability protection method.
  • An embodiment of the present invention provides a computer program product, including a computer program stored on a computer-readable storage medium, the computer program including program instructions; when the program instructions are executed by a computer, the computer device executes the steps of the deserialization vulnerability protection method.
  • After the WebLogic server receives the data request sent by the client, if it determines that the data request includes T3/T3S protocol data, the request may be a Java deserialization attack, so it goes on to determine from the IP address whitelist whether the client's IP address is a trusted IP address, and processes the T3/T3S protocol data only if it is. That is, by setting a whitelist in the WebLogic server, T3/T3S protocol data sent by untrusted clients can be effectively blocked, deserialization attacks can be prevented as far as possible, and the security of the WebLogic server is improved. Setting a whitelist in the WebLogic server can also protect against deserialization vulnerabilities caused by newly emerging classes, because the decision is made on the client's address before any deserialization takes place.
  • FIG. 1 is a schematic diagram of a scenario where a proxy server is deployed on another server independent of the WebLogic server according to an embodiment of the present invention.
  • FIG. 2 is a schematic diagram of a scenario where a proxy application and WebLogic are deployed on the same server according to an embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of a method for protecting deserialization vulnerabilities according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of a WebLogic processing flow provided by an embodiment of the present invention.
  • FIG. 5 is a schematic flowchart of a MuxableSocketT3 positioning method provided by an embodiment of the present invention.
  • FIG. 6 is a schematic flowchart of a MuxableSocketT3 positioning method provided by an embodiment of the present invention.
  • FIG. 7 is a schematic flowchart of a method for protecting deserialization vulnerabilities according to an embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of a protection device for deserialization vulnerabilities provided by an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of a computer device provided by an embodiment of the present invention.
  • WebLogic is an application server produced by Oracle Corporation of the United States. To be precise, it is a middleware based on the JAVAEE (Java Platform Enterprise Edition) architecture: a Java application server used to develop, integrate, deploy and manage large-scale distributed Web applications, network applications and database applications. It brings the dynamic functions of Java and the security of the Java Enterprise standards into the development, integration, deployment and management of large-scale network applications.
  • JAVAEE: Java Platform Enterprise Edition.
  • Serialization and deserialization: serialization is the process of turning an object into data that can be transmitted, and deserialization is the process of turning serialized data back into an object.
  • T3 is an optimized protocol used to transfer data between WebLogic Server and other Java programs (including clients and other WebLogic Servers). WebLogic Server tracks each Java Virtual Machine (JVM) connected to it and creates a single T3 connection to carry all the traffic of each JVM.
  • JVM: Java Virtual Machine.
  • T3S is the WebLogic T3 protocol over SSL (Secure Sockets Layer).
  • The inventor of the present invention found that the default service port of WebLogic is 7001, and that this single port provides HTTP (Hypertext Transfer Protocol)/HTTPS (Hypertext Transfer Protocol Secure), SNMP (Simple Network Management Protocol), T3/T3S and other protocol services. Because the different protocols of WebLogic share one port, Java deserialization vulnerabilities cannot be prevented by restricting port access through a firewall.
  • Financial institutions: institutions in the financial industry such as banking institutions, insurance institutions and securities institutions.
  • Traditional deserialization protection methods seriously fail to meet the requirements of banking institutions and other financial institutions. Therefore, a concept was first proposed to add a proxy server between the customer and the WebLogic server of a financial institution such as a bank, so that Java deserialization exploit request data is filtered by the proxy server and is not sent to the WebLogic server.
  • The protection idea is that only data sent by the user that conforms to the HTTP/HTTPS protocol can be forwarded to the WebLogic server through the proxy server. Because Java serialized data uses the T3/T3S protocol and does not conform to the HTTP/HTTPS protocol, it is filtered out by the proxy server; the WebLogic server cannot receive Java serialized data, and the vulnerability is thereby protected against.
  • Deployment plan 1: the proxy server is deployed on another server, independent of the WebLogic server. As shown in Figure 1, when the proxy server is deployed on another server independent of the WebLogic server, the listening IP address needs to be set to "0.0.0.0" in the WebLogic management console, so that the proxy server can access the services provided by WebLogic.
  • The port provided by WebLogic can remain unchanged and continue to listen on the original port.
  • WebLogic's original listening port is 7001, so this port continues to be used.
  • The disadvantage of this deployment is that, as shown in Figure 1, if an attacker controls other servers in the LAN (including the proxy server) through other vulnerabilities or security issues, the controlled machine can send Java deserialization exploit data packets from the LAN to the WebLogic server and exploit the vulnerability. In other words, it can only protect against deserialization vulnerability attacks initiated via the Internet, and cannot protect against attacks initiated by other servers in the LAN.
  • Deployment plan 2: deploy the proxy application and WebLogic on the same server, as shown in Figure 2.
  • The proxy application can be deployed on the same server as WebLogic, and the listening IP address of WebLogic can be set to "127.0.0.1"; alternatively, the listening IP address can be set to "0.0.0.0", and the IPs allowed to access the WebLogic service port are restricted through the firewall.
  • With the above settings it is possible to restrict access to the services provided by WebLogic to this machine only, so that other machines cannot access them. For example, using the iptables command of the Linux operating system and allowing only the "127.0.0.1" IP address/loopback network interface to access the WebLogic service port completes the above restriction.
  • The port provided by WebLogic needs to be changed to another port, and the proxy server listens on the port originally provided by WebLogic.
  • The original listening port of WebLogic is 7001, but port 8001 is used instead, and the proxy application listens on port 7001.
  • The disadvantages of this deployment method are that it needs to modify the service port provided by WebLogic and adjust the network policy, which may affect normal business functions; adding a proxy application to the WebLogic server increases the server's performance overhead and may affect normal business functions; and the service port of WebLogic can only be accessed on the local machine.
  • Because the T3/T3S service provided by WebLogic cannot be accessed from other servers in the local area network, WebLogic can only be managed on the WebLogic server's local machine, and remote command management of the WebLogic service cannot be performed; this reduces the availability of WebLogic and has an impact on operation and maintenance. In addition, after adjusting according to the above deployment plan, a larger scope of testing is required to verify whether normal business functions are affected, which brings a larger test workload.
  • Step S301: the WebLogic server receives a data request sent by at least one client, and determines whether the data request includes T3/T3S protocol data.
  • The WebLogic server connects with at least one client and receives the data request sent by the client.
  • If the data request received by the WebLogic server includes T3/T3S protocol data, the data request may cause a deserialization vulnerability attack.
  • T3/T3S protocol data is sent in the following cases: when WebLogic's stop or start script needs to be executed on the WebLogic server, the client sends T3/T3S protocol data to the WebLogic server; when WLST (WebLogic Scripting Tool) is used to configure and manage WebLogic by command, the client sends T3/T3S protocol data to the WebLogic server; and when a program that communicates using the T3/T3S protocol is written to monitor and manage WebLogic, the client sends T3/T3S protocol data to the WebLogic server.
  • WLST: WebLogic Scripting Tool.
  • Step S302: if the WebLogic server determines that the data request includes T3/T3S protocol data, it determines whether the client's IP address is a trusted IP address according to the client's Internet Protocol (IP) address and a pre-configured IP address whitelist.
  • If the data request sent by the client and received by the WebLogic server includes T3/T3S protocol data, the data request may be deserialization exploit data that could cause the WebLogic server to be attacked. Therefore, in order to improve the security of the WebLogic server, the pre-configured IP address whitelist and the IP address of the client sending the T3/T3S protocol data are used to determine whether the T3/T3S protocol data should be processed normally or the request rejected.
  • A client that matches the IP address whitelist is a trusted client, and the T3/T3S protocol data it sends is trusted; a client that does not match the IP address whitelist is an untrusted client, and the T3/T3S protocol data it sends is likewise untrusted.
  • The IP address whitelist in the WebLogic server is preset.
  • The IP address whitelist is determined according to the security level of each client in the entire network.
  • It is added to the startup parameters of the Java program: the configuration file named in the startup parameters is the IP address whitelist.
  • For the WebLogic server to realize the IP address whitelist judgment, it is also necessary to determine which class processes T3/T3S in the WebLogic server.
  • The exception information recorded in the WebLogic log when a historical WebLogic Java deserialization vulnerability was triggered can be used to determine the T3/T3S class in the WebLogic server.
  • The exception information contains the stack trace at the time the vulnerability was triggered, and the processing flow of WebLogic can be understood from the stack trace. Analysis shows that when the vulnerability is triggered, WebLogic processes the T3/T3S protocol data in fixed steps: after the thread-related classes and socket-related classes are processed, the Java deserialization process is finally performed.
  • Modifying the MuxableSocketT3 class of the WebLogic server can therefore add a judging process that checks whether the IP address is in the whitelist.
  • Before optimizing the MuxableSocketT3 class, the path of the jar package where MuxableSocketT3 is located needs to be determined. MuxableSocketT3 can be located by the following methods.
  • The first method, when the MuxableSocketT3 class exists alone: install any J2EE application in WebLogic, create a JSP (Java Server Pages) file in a directory of the application where JSP files are parsed, and save the following content in it to output the jar package location where the MuxableSocketT3 class is found, as shown in Figure 5, including:
  • Step S501: obtain the class object of weblogic.rjvm.t3.MuxableSocketT3;
  • Step S502: call the getResource("").getPath() method of the above object;
  • Step S503: obtain the jar package path where the MuxableSocketT3 class is located, as returned by the above method;
  • Step S504: print the path of the jar package where the MuxableSocketT3 class is located.
  • The second method, when the MuxableSocketT3 class exists in a jar package: install any J2EE application in WebLogic, create a JSP file in a directory of the application where JSP files are parsed, and save the following content in it to output the jar package location where the MuxableSocketT3 class is found, as shown in Figure 6, including:
  • Step S601: obtain the class object of weblogic.rjvm.t3.MuxableSocketT3;
  • Step S602: call getProtectionDomain().getCodeSource() on the above object;
  • Step S603: obtain the jar package path where the MuxableSocketT3 class is located, as returned by the above method;
  • Step S604: print the path of the jar package where the MuxableSocketT3 class is located.
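The two location methods of steps S501 to S504 and S601 to S604, as an added example written for this page (it is neither the patent's JSP content nor Oracle WebLogic code). The patent runs the lookup from a JSP inside a deployed application so that it executes under WebLogic's own class loader; this standalone class does the same lookups for any class name given on the command line and is meant to be compiled and run with the server's jars on the classpath, or pasted into such a JSP. The default class name is the patent's target, written with the lowercase Java package name weblogic.rjvm.t3 (the page's "WebLogic.rjvm.t3" is a translation artefact); the class name ClassLocator and the output wording are this example's choices.

```java
import java.net.URL;
import java.security.CodeSource;

/**
 * Locates where a class was loaded from, using the two approaches the patent's
 * steps S501-S504 (Class.getResource) and S601-S604 (CodeSource) describe.
 * Added example, not code from the patent or from WebLogic.
 */
public class ClassLocator {

    /**
     * First method (S501-S504): Class.getResource("") resolves the class's own
     * package directory. For a loose .class file this is a file: URL of that
     * directory; for a class inside a jar it is a jar:file:...!/pkg/ URL, so the
     * jar path can be read off the result. May be null if the class loader has
     * no directory entry for the package.
     */
    public static String locateByResource(Class<?> cls) {
        URL url = cls.getResource("");
        return url == null ? null : url.getPath();
    }

    /**
     * Second method (S601-S604): the ProtectionDomain's CodeSource records the
     * jar (or class directory root) the class loader read the class from. This is
     * the direct way to obtain the jar path when the class ships inside a jar.
     */
    public static String locateByCodeSource(Class<?> cls) {
        CodeSource src = cls.getProtectionDomain().getCodeSource();
        if (src == null || src.getLocation() == null) {
            return null; // bootstrap classes such as java.lang.String have no CodeSource
        }
        return src.getLocation().getPath();
    }

    public static void main(String[] args) throws ClassNotFoundException {
        // Defaults to the class the patent modifies; any fully qualified name may be given.
        String name = args.length > 0 ? args[0] : "weblogic.rjvm.t3.MuxableSocketT3";
        // initialize=false: only load the class, do not run its static initializers.
        Class<?> cls = Class.forName(name, false, ClassLocator.class.getClassLoader());
        System.out.println("getResource(\"\") path : " + locateByResource(cls));
        System.out.println("CodeSource location  : " + locateByCodeSource(cls));
    }
}
```

Running it against a JDK class (for example `java ClassLocator java.util.HashMap`) shows the difference between the two methods: the first still returns a `jrt:` or `jar:` package path, while the second returns null because platform classes carry no CodeSource, which is why the patent offers the second method specifically for the case where the class sits inside a jar.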
  • If the WebLogic server determines that the client's IP address matches the IP address whitelist, it determines that the client's IP address is a trusted IP address.
  • Step S303: if the WebLogic server determines that the client's IP address is a trusted IP address, it processes the T3/T3S protocol data so that the request is handled by the normal process.
  • When the client is determined to be a trusted client, the WebLogic server executes the T3/T3S protocol data: for example, the WebLogic server locally executes WebLogic's stop script or start script, or WebLogic executes command configuration and management operations, or WebLogic performs functional operations such as monitoring and management.
  • When the WebLogic server determines that the client's IP address does not match the IP address whitelist, it refuses the connection with the client and records the data request as an attack event; recording the attack event allows attack events to be analysed.
  • In order to avoid other potential security problems arising from the WebLogic server port being directly exposed on the Internet, a proxy server can also be deployed between the user and the WebLogic server.
  • The proxy server can be deployed on a separate server without increasing the performance overhead of the WebLogic server and without affecting normal business; when verification is performed, the scope of the test is small and the test workload is also small. Normal functions are not affected, and there is no hidden danger of Java deserialization vulnerabilities.
  • The WebLogic server receives data requests sent by Internet clients through the proxy server, and receives data requests sent by clients on the same local area network directly.
  • The method protects WebLogic against Java deserialization vulnerabilities to the greatest extent possible, while other trusted servers are still allowed to access the T3/T3S services provided by WebLogic, so that WebLogic services can be remotely commanded and managed from other trusted servers; this does not affect the availability of WebLogic or its operation and maintenance. The method can also perceive and obtain threat intelligence information when an attacker tries to exploit a WebLogic Java deserialization vulnerability. It does not need to modify the service port provided by WebLogic or adjust the network policy, so it does not affect normal business functions; there is no need to add a proxy application to the WebLogic server, so it does not increase the performance overhead of the WebLogic server or affect normal business; and after the whitelist judgment is added to WebLogic according to the method in the embodiment of the present invention, the scope of testing required to verify that normal business functions are unaffected is small and the testing workload is also small.
  • This method is applied to the WebLogic servers of banks and other financial institutions.
  • The configuration file name is added to the startup parameters of the Java program; that is, the IP address whitelist is added and is used to dynamically configure the trusted IPs from which WebLogic is allowed to receive the T3/T3S protocol. After the trusted IPs are modified, the change takes effect without restarting the WebLogic server.
  • The trusted IPs are read from the specified configuration file to determine whether the IP of the current request is a trusted IP. If it is a trusted IP, processing of the T3/T3S protocol continues; if it is not, the connection is rejected and the details of the attack event are recorded in a specific log file.
  • The optimized dispatch method of the MuxableSocketT3 class is shown in Figure 7 and applied to the WebLogic server. The specific steps are:
  • Step S701: receive T3/T3S protocol data;
  • Step S702: obtain the IP address whitelist configured in the startup parameters of the Java program;
  • Step S703: judge whether the IP address of the current client sending the T3/T3S protocol data matches an IP address in the IP address whitelist; if yes, go to step S704, otherwise go to step S705;
  • Step S704: execute the T3/T3S protocol data;
  • Step S705: reject the connection with the client, and record the data request as an attack event.
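The whitelist decision of steps S701 to S705, together with the startup-parameter configuration file and restart-free reloading described just above, as an added example written for this page (not the patent's modified MuxableSocketT3 and not Oracle code). It is a standalone class so the logic can be compiled and exercised without a WebLogic installation; the patent inserts the equivalent check into the dispatch method of weblogic.rjvm.t3.MuxableSocketT3. Everything not stated in the patent is this example's assumption: the class name T3WhitelistGuard, the startup parameter name t3.ip.whitelist, the whitelist file format (one IPv4 address or CIDR block per line, '#' comments), the use of java.util.logging for the attack-event record, and the sample whitelist written to a temporary file in main.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;

/** Added example of the S701-S705 whitelist check; names and file format are assumptions. */
public final class T3WhitelistGuard {
    private static final String WHITELIST_PROPERTY = "t3.ip.whitelist"; // assumed -D name
    private static final Logger ATTACK_LOG = Logger.getLogger("t3.attack.events"); // assumed logger

    private final Path whitelistFile;
    private long lastModified = -1;
    private Set<String> trusted = new HashSet<>();

    public T3WhitelistGuard(Path whitelistFile) {
        this.whitelistFile = whitelistFile;
    }

    /** Step S702: the whitelist file is named by a JVM startup parameter, -Dt3.ip.whitelist=/path. */
    public static T3WhitelistGuard fromStartupParameters() {
        String path = System.getProperty(WHITELIST_PROPERTY);
        if (path == null) {
            throw new IllegalStateException("-D" + WHITELIST_PROPERTY + " is not set");
        }
        return new T3WhitelistGuard(Paths.get(path));
    }

    /** Re-reads the file only when its modification time changed, so edits apply without a restart. */
    private synchronized Set<String> currentTrusted() throws IOException {
        long mtime = Files.getLastModifiedTime(whitelistFile).toMillis();
        if (mtime != lastModified) {
            Set<String> fresh = new HashSet<>();
            for (String line : Files.readAllLines(whitelistFile, StandardCharsets.UTF_8)) {
                String entry = line.trim();
                if (!entry.isEmpty() && !entry.startsWith("#")) {
                    fresh.add(entry);
                }
            }
            trusted = fresh;
            lastModified = mtime;
        }
        return trusted;
    }

    /** Step S703: the client is trusted when it equals an entry or lies inside an entry's CIDR block. */
    public boolean isTrusted(InetAddress client) throws IOException {
        for (String entry : currentTrusted()) {
            if (matches(entry, client)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Hook for the T3 dispatch path: true means continue into normal T3/T3S handling (S704);
     * otherwise the socket is closed and the attack event is recorded (S705). Only the socket's
     * remote address is consulted, never the request payload, so nothing untrusted is parsed first.
     */
    public boolean admit(Socket socket) throws IOException {
        InetAddress remote = ((InetSocketAddress) socket.getRemoteSocketAddress()).getAddress();
        if (isTrusted(remote)) {
            return true;
        }
        ATTACK_LOG.warning("T3/T3S request rejected from untrusted client "
                + remote.getHostAddress() + ":" + socket.getPort());
        socket.close();
        return false;
    }

    /** IPv4 only: "a.b.c.d" matches exactly, "a.b.c.d/n" matches the block; malformed entries never match. */
    static boolean matches(String entry, InetAddress client) {
        byte[] addr = client.getAddress();
        if (addr.length != 4) {
            return false; // IPv6 clients are not whitelisted by this example
        }
        try {
            String[] parts = entry.split("/");
            byte[] base = InetAddress.getByName(parts[0]).getAddress();
            int prefix = parts.length == 2 ? Integer.parseInt(parts[1]) : 32;
            if (base.length != 4 || prefix < 0 || prefix > 32) {
                return false;
            }
            int mask = prefix == 0 ? 0 : -1 << (32 - prefix);
            return (toInt(base) & mask) == (toInt(addr) & mask);
        } catch (IOException | NumberFormatException e) {
            return false;
        }
    }

    private static int toInt(byte[] b) {
        return ((b[0] & 0xff) << 24) | ((b[1] & 0xff) << 16) | ((b[2] & 0xff) << 8) | (b[3] & 0xff);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample whitelist: one proxy host and one management LAN segment.
        Path tmp = Files.createTempFile("t3-whitelist", ".txt");
        Files.write(tmp, Arrays.asList("# trusted T3/T3S clients", "10.0.0.5", "192.168.10.0/24"));
        T3WhitelistGuard guard = new T3WhitelistGuard(tmp);
        for (String ip : new String[] {"10.0.0.5", "192.168.10.77", "203.0.113.9"}) {
            System.out.println(ip + " trusted: " + guard.isTrusted(InetAddress.getByName(ip)));
        }
    }
}
```

Two design points follow the patent's own reasoning. The check is keyed on the socket's remote address rather than on anything inside the T3 stream, which is what lets it cover deserialization issues in classes that did not exist when the whitelist was written. And the whitelist is re-read on modification time rather than cached for the life of the JVM, which is what gives the "no restart needed" property claimed above; an installation that prefers a fixed list can simply never touch the file. The rejection is logged before the socket is closed, so the attack-event record exists even if the client disconnects immediately.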
  • The device 800 includes:
  • a T3/T3S protocol data determining unit 801 configured to receive a data request sent by at least one client and determine whether the data request includes T3/T3S protocol data;
  • a judging unit 802 configured to determine, if it is determined that the data request includes T3/T3S protocol data, whether the client's IP address is a trusted IP address according to the client's Internet Protocol (IP) address and a pre-configured IP address whitelist;
  • a T3/T3S protocol data processing unit 803 configured to process the T3/T3S protocol data if it is determined that the client's IP address is a trusted IP address, so that the request is handled by the normal process.
  • The judging unit 802 is specifically configured to:
  • acquire the startup parameters of the WebLogic server, the startup parameters including the IP address whitelist; and
  • determine, if the client's IP address matches the IP address whitelist, that the client's IP address is a trusted IP address.
  • The T3/T3S protocol data processing unit 803 is also used to:
  • reject the connection with the client and record the data request as an attack event, if the client's IP address does not match the IP address whitelist.
  • The T3/T3S protocol data determining unit 801 is specifically configured to:
  • receive data requests sent by Internet clients through the proxy server and data requests sent by clients on the same local area network.
  • The device further includes a configuration unit 804.
  • The configuration unit 804 is specifically configured to:
  • determine the location of the MuxableSocketT3 class according to whether the MuxableSocketT3 class exists alone.
  • an embodiment of the present application provides a computer device. As shown in FIG. 9, it includes at least one processor 901 and a memory 902 connected to the at least one processor.
  • the embodiment of the present application does not limit the processor.
  • the specific connection medium between the 901 and the memory 902 is the connection between the processor 901 and the memory 902 through a bus in FIG. 9 as an example.
  • the bus can be divided into address bus, data bus, control bus, etc.
  • the memory 902 stores instructions that can be executed by at least one processor 901. By executing the instructions stored in the memory 902, the at least one processor 901 can execute the aforementioned deserialization vulnerability protection method. step.
  • the processor 901 is the control center of the computer equipment, which can use various interfaces and lines to connect to various parts of the terminal equipment, and obtain customers by running or executing instructions stored in the memory 902 and calling data stored in the memory 902. End address.
  • the processor 901 may include one or more processing units, and the processor 901 may integrate an application processor and a modem processor.
  • the application processor mainly processes the operating system, user interface, and application programs.
  • the adjustment processor mainly deals with wireless communication. It can be understood that the foregoing modem processor may not be integrated into the processor 901.
  • the processor 901 and the memory 902 may be implemented on the same chip, and in some embodiments, they may also be implemented on separate chips.
  • the processor 901 may be a general-purpose processor, such as a central processing unit (CPU), a digital signal processor, an application specific integrated circuit (ASIC), a field programmable gate array or other programmable logic devices, discrete gates or transistors Logic devices and discrete hardware components can implement or execute the methods, steps, and logic block diagrams disclosed in the embodiments of the present application.
  • the general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in combination with the embodiments of the present application may be directly embodied as executed and completed by a hardware processor, or executed and completed by a combination of hardware and software modules in the processor.
  • the memory 902, as a non-volatile computer-readable storage medium, can be used to store non-volatile software programs, non-volatile computer-executable programs, and modules.
  • the memory 902 may include at least one type of storage medium, such as flash memory, hard disk, multimedia card, card-type memory, random access memory (RAM), static random access memory (SRAM), programmable read-only memory (PROM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), magnetic memory, magnetic disk, optical disc, etc.
  • the memory 902 may also be any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto.
  • the memory 902 in the embodiment of the present application may also be a circuit or any other device capable of providing a storage function for storing program instructions and/or data.
  • the embodiments of the present application provide a computer-readable storage medium that stores a computer program executable by a computer device.
  • when the program runs on the computer device, the computer device executes the steps of the deserialization vulnerability protection method.
  • the embodiments of the present application provide a computer program product, including a computer program stored on a computer-readable storage medium, the computer program including program instructions which, when executed by a computer,
  • cause the computer device to execute the steps of the deserialization vulnerability protection method.
  • a person of ordinary skill in the art can understand that all or part of the steps in the above method embodiments can be implemented by a program instructing relevant hardware.
  • the foregoing program can be stored in a computer-readable storage medium. When the program is executed, the steps of the foregoing method embodiment are performed; and the foregoing storage medium includes: removable storage devices, read-only memory (ROM), random access memory (RAM), magnetic disks or optical disks, etc.
  • if the above-mentioned integrated unit of this application is implemented in the form of a software function module and sold or used as an independent product, it may also be stored in a computer-readable storage medium.
  • the computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the methods described in the various embodiments of the present application.
  • the aforementioned storage media include: removable storage devices, ROM, RAM, magnetic disks or optical disks and other media that can store program codes.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to the field of fintech, and disclosed are a method and device for protection from a deserialization vulnerability. The method comprises: a WebLogic server receives a data request sent by at least one client, and determines whether the data request comprises T3/T3S protocol data; if the WebLogic server determines that the data request comprises T3/T3S protocol data, determine whether the IP address of the client is a trusted IP address according to an internet protocol IP address of the client and a pre-configured IP address white list; and if the WebLogic server determines that the internet protocol IP address of the client is a trusted IP address, process the T3/T3S protocol data. By setting the white list in the WebLogic server, attacks of deserialization vulnerabilities are prevented as much as possible, and the security of the WebLogic server is improved.

Description

Method and device for protecting against deserialization vulnerabilities
Cross reference to related applications
This application claims priority from the Chinese patent application filed with the Chinese Patent Office on May 24, 2019, with application number 201910438428.7 and title "A method and device for protecting against deserialization vulnerabilities", the entire content of which is incorporated into this application by reference.
Technical field
The present invention relates to the technical field of financial technology (Fintech), and in particular to a method and device for protecting against deserialization vulnerabilities.
Background
WebLogic is middleware based on the Java EE architecture that serves as a Java application server for developing, integrating, deploying and managing large-scale distributed web applications, network applications and database applications. It is widely used in government, finance, healthcare, transportation, education, scientific research and other industries.
WebLogic has a Java deserialization vulnerability: when an attacker sends carefully constructed serialized data to WebLogic, the vulnerability is triggered and the operation specified by the attacker is executed, which can give control of the server and allow data in the database to be stolen, with serious consequences.
In the prior art, deserialization of classes known to have deserialization vulnerabilities is usually forbidden. However, when a new class that triggers a deserialization vulnerability appears, the vulnerability can still be exploited and no protection is provided. Moreover, replacing or deleting classes is problematic: because the replaced class is a basic Java class, the scope of impact is too large, and deleting a class makes the functions that depend on it unusable; both may affect the normal functioning of WebLogic.
Summary of the invention
In view of this, embodiments of the present invention provide a method and device for protecting against deserialization vulnerabilities, which at least solve the problems existing in the prior art.
In one aspect, an embodiment of the present invention provides a method for protecting against deserialization vulnerabilities, applied in a WebLogic server, including:
the WebLogic server receives a data request sent by at least one client, and determines whether the data request includes T3/T3S protocol data;
if the WebLogic server determines that the data request includes T3/T3S protocol data, it determines whether the client's IP address is a trusted IP address according to the Internet Protocol (IP) address of the client and a pre-configured IP address whitelist;
if the WebLogic server determines that the client's IP address is a trusted IP address, it processes the T3/T3S protocol data so that the request is handled by the normal flow.
Optionally, the WebLogic server determining whether the client's IP address is a trusted IP address according to the client's IP address and the pre-configured IP address whitelist includes:
when the WebLogic server executes the MuxableSocketT3 class, acquiring the startup parameters of the WebLogic server, the startup parameters including the IP address whitelist;
if the WebLogic server determines that the client's IP address matches the IP address whitelist, determining that the client's IP address is a trusted IP address.
Optionally, the method further includes:
if the WebLogic server determines that the client's IP address does not match the IP address whitelist, refusing the connection with the client and recording the data request as an attack event.
Optionally, the WebLogic server receiving a data request sent by at least one client includes:
the WebLogic server receiving, through a proxy server, data requests sent by Internet clients, and the WebLogic server receiving data requests sent by clients on the same local area network.
Optionally, before the WebLogic server receives the data request sent by at least one client, the method further includes:
the WebLogic server determining the location of the MuxableSocketT3 class, and the WebLogic server adding the steps of the deserialization vulnerability protection method to the MuxableSocketT3 class.
Optionally, the WebLogic server determining the location of the MuxableSocketT3 class includes:
the WebLogic server determining the location of the MuxableSocketT3 class according to whether the MuxableSocketT3 class exists on its own.
In another aspect, an embodiment of the present invention provides a device for protecting against deserialization vulnerabilities, including:
a T3/T3S protocol data determining unit, configured to receive a data request sent by at least one client and determine whether the data request includes T3/T3S protocol data;
a judging unit, configured to, if it is determined that the data request includes T3/T3S protocol data, determine whether the client's IP address is a trusted IP address according to the client's IP address and a pre-configured IP address whitelist;
a T3/T3S protocol data processing unit, configured to, if it is determined that the client's IP address is a trusted IP address, process the T3/T3S protocol data so that the request is handled by the normal flow.
Optionally, the judging unit is specifically configured to:
when the MuxableSocketT3 class is executed, acquire the startup parameters of the WebLogic server, the startup parameters including the IP address whitelist;
if it is determined that the client's IP address matches the IP address whitelist, determine that the client's IP address is a trusted IP address.
Optionally, the T3/T3S protocol data processing unit is further configured to:
if it is determined that the client's IP address does not match the IP address whitelist, refuse the connection with the client and record the data request as an attack event.
Optionally, the T3/T3S protocol data determining unit is specifically configured to:
receive, through a proxy server, data requests sent by Internet clients, and receive data requests sent by clients on the same local area network.
Optionally, the device further includes a configuration unit, configured to:
determine the location of the MuxableSocketT3 class, and add the steps of the deserialization vulnerability protection method to the MuxableSocketT3 class.
Optionally, the configuration unit is specifically configured to:
determine the location of the MuxableSocketT3 class according to whether the MuxableSocketT3 class exists on its own.
In another aspect, an embodiment of the present invention provides a computer device, including a memory, a processor, and a computer program stored in the memory and runnable on the processor, where the processor implements the steps of the deserialization vulnerability protection method when executing the program.
In another aspect, an embodiment of the present invention provides a computer-readable storage medium storing a computer program executable by a computer device; when the program runs on the computer device, it causes the computer device to execute the steps of the deserialization vulnerability protection method.
In another aspect, an embodiment of the present invention provides a computer program product, including a computer program stored on a computer-readable storage medium, the computer program including program instructions which, when executed by a computer, cause the computer device to execute the steps of the deserialization vulnerability protection method.
After the WebLogic server receives a data request sent by a client, if it determines that the request includes T3/T3S protocol data, the request may be an attempt to exploit the Java deserialization vulnerability, so it further checks whether the client's IP address is a trusted IP address according to the IP address whitelist, and only if so processes the T3/T3S protocol data. In other words, by configuring a whitelist in the WebLogic server, T3/T3S protocol data sent by untrusted clients is effectively blocked, deserialization attacks are prevented as far as possible, and the security of the WebLogic server is improved. Moreover, configuring a whitelist in the WebLogic server effectively prevents deserialization attacks, including deserialization vulnerabilities caused by newly emerging classes. The protection does not modify basic Java classes or classes of other shared components, and does not delete any class, so it does not affect the normal functioning of WebLogic and avoids problems such as unstable application operation. Since the whitelisted clients are those with a high degree of trust in relation to the WebLogic server (such as servers used by internal operations and maintenance staff), they will not attack the WebLogic service, and so the problems of the prior art are solved.
Brief description of the drawings
FIG. 1 is a schematic diagram of a scenario in which a proxy server is deployed on another server separate from the WebLogic server, according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a scenario in which a proxy application and WebLogic are deployed on the same server, according to an embodiment of the present invention;
FIG. 3 is a schematic flowchart of a method for protecting against deserialization vulnerabilities according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a WebLogic processing flow according to an embodiment of the present invention;
FIG. 5 is a schematic flowchart of a method for locating MuxableSocketT3 according to an embodiment of the present invention;
FIG. 6 is a schematic flowchart of another method for locating MuxableSocketT3 according to an embodiment of the present invention;
FIG. 7 is a schematic flowchart of a method for protecting against deserialization vulnerabilities according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of a device for protecting against deserialization vulnerabilities according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a computer device according to an embodiment of the present invention.
Detailed description of embodiments
To make the purpose, technical solution and beneficial effects of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the present application and not to limit it.
For ease of understanding, the terms involved in the embodiments of the present application are explained below.
WebLogic: WebLogic is an application server produced by Oracle Corporation of the United States; more precisely, it is middleware based on the Java EE (Java Platform, Enterprise Edition) architecture. WebLogic is a Java application server for developing, integrating, deploying and managing large-scale distributed web applications, network applications and database applications. It brings the dynamic features of Java and the security of the Java Enterprise standards to the development, integration, deployment and management of large-scale network applications.
Serialization and deserialization: serialization is the process of turning an object into data that can be transmitted, and deserialization is the process of turning serialized data back into an object.
Deserialization vulnerability: if a Java application deserializes user input, that is, untrusted data, an attacker can construct malicious input that makes deserialization produce unexpected objects, and the creation of those unexpected objects may lead to arbitrary code execution. Exploiting the WebLogic Java deserialization vulnerability requires sending T3/T3S protocol packets to the port on which WebLogic provides its services. T3 is an optimized protocol used to transfer data between WebLogic Server and other Java programs (including clients and other WebLogic Servers). WebLogic Server keeps track of each Java Virtual Machine (JVM) connected to it and creates a single T3 connection to carry all the traffic of each JVM. T3S is the WebLogic T3 protocol over SSL (Secure Sockets Layer).
In practice, the inventor found that WebLogic's default service port is 7001, and that this single port serves HTTP (Hypertext Transfer Protocol)/HTTPS (Hypertext Transfer Protocol Secure), SNMP (Simple Network Management Protocol), T3/T3S and other protocols. Because WebLogic's different protocols all use one port, the Java deserialization vulnerability cannot be mitigated by restricting port access with a firewall. With the development of financial technology, financial institutions (such as banks, insurers and securities firms) have increasingly demanding technical requirements, and the traditional way of handling deserialization falls far short of the requirements of banks and other financial institutions. Therefore, a first idea was proposed: add a proxy server between the customer and the WebLogic server of a financial institution such as a bank, so that request data exploiting the Java deserialization vulnerability is filtered by the proxy server and never reaches the WebLogic server.
The idea behind this protection is that, of the data sent by users, only data conforming to the HTTP/HTTPS protocol can pass through the proxy server and be forwarded to the WebLogic server. Since the protocol used for Java deserialization data is T3/T3S, which does not conform to HTTP/HTTPS, such data is filtered out by the proxy server, the WebLogic server never receives the Java deserialization data, and the vulnerability is mitigated.
However, the applicant found during experiments that different positions of the proxy server lead to different results. There are several different deployment schemes:
Deployment scheme 1: the proxy server is deployed on another server separate from the WebLogic server, as shown in FIG. 1. When the proxy server is deployed on a separate server, the listening IP address must be set to "0.0.0.0" in the WebLogic administration console so that the proxy server can reach the services provided by WebLogic.
The port on which WebLogic provides its services can remain unchanged and continue to listen on the original port. For example, if WebLogic's original listening port is 7001, that port continues to be used.
In this deployment, normal users can access the services provided by WebLogic through the proxy server as usual, and an attacker cannot send T3/T3S Java deserialization exploit packets to WebLogic from the Internet; other servers in the local area network (including the proxy server) can still access the T3/T3S services provided by WebLogic as usual.
The disadvantage of this deployment, as shown in FIG. 1, is that if an attacker gains control of another server in the LAN (including the proxy server) through other vulnerabilities or security problems, the controlled machine can send Java deserialization exploit packets to the WebLogic server from inside the LAN. In other words, it only protects against deserialization attacks launched from the Internet, not against attacks launched by other servers inside the LAN.
Deployment scheme 2: the proxy application is deployed on the same server as WebLogic, as shown in FIG. 2. With the proxy application on the same server, the WebLogic listening IP address can be set to "127.0.0.1"; alternatively, the listening IP address is set to "0.0.0.0" and a firewall restricts which IP addresses may access the WebLogic service port. With these settings, only the local machine can access the services provided by WebLogic, and other machines cannot. For example, using the iptables command of the Linux operating system to allow only the "127.0.0.1" IP address / loopback network interface to access the WebLogic service port achieves this restriction.
The port on which WebLogic provides its services must be changed to another port, and the proxy listens on the port WebLogic originally served. For example, if WebLogic's original listening port is 7001, WebLogic is changed to port 8001 and the proxy application listens on port 7001.
In this deployment, normal users can access the services provided by WebLogic through the proxy server as usual; an attacker cannot send T3/T3S Java deserialization exploit packets to WebLogic from the Internet, nor through a compromised server in the LAN.
The disadvantages of this deployment are that the WebLogic service port must be changed and the network policy adjusted, which may affect normal business functions; a proxy application must be added to the WebLogic server, which increases the server's performance overhead and may affect normal business functions; restricting the WebLogic service port to local access means the T3/T3S services provided by WebLogic cannot be reached from other servers in the LAN, so WebLogic can only be managed by command on the WebLogic server itself and not remotely, which reduces the availability of WebLogic and affects operations and maintenance; and after adjusting the deployment as above, verifying that normal business functions are unaffected requires a wide scope of testing and brings a large testing workload.
Given the shortcomings of the above deployments, the applicant further improved the method of protecting against deserialization vulnerabilities. As shown in FIG. 3, it includes the following steps:
Step S301: the WebLogic server receives a data request sent by at least one client, and determines whether the data request includes T3/T3S protocol data.
Specifically, in this embodiment of the present invention, the WebLogic server receives a data request sent by at least one client: one WebLogic server is connected to at least one client and receives the data requests sent by the clients.
In an optional embodiment, the data request received by the WebLogic server includes T3/T3S protocol data, which means the request could carry a deserialization attack. Specifically, a client sends T3/T3S protocol data to the WebLogic server when the WebLogic stop or start script is executed on the WebLogic server itself; when WebLogic is configured or managed from the command line through WLST (WebLogic Scripting Tool); and when a program that communicates over T3/T3S is written to monitor and manage WebLogic.
Step S302: if the WebLogic server determines that the data request includes T3/T3S protocol data, it determines whether the client's IP address is a trusted IP address according to the client's IP address and a pre-configured IP address whitelist.
Specifically, once it is determined that the data request received from the client includes T3/T3S protocol data, the request may be deserialization exploit data that could lead to the WebLogic server being attacked. To improve the security of the WebLogic server, the pre-configured IP address whitelist and the IP address of the client that sent the T3/T3S protocol data are used to decide whether to process the T3/T3S protocol data normally or to reject the request.
Optionally, whether the T3/T3S protocol data is processed is decided by whether the client's IP address is a trusted IP address. That is, in this embodiment of the present invention, the clients in the IP address whitelist are considered to be clients of high security whose trustworthiness is also very high; if even these clients were hijacked, all servers could be considered to be under the attacker's control.
Therefore, a client that matches the IP address whitelist is a trusted client and the T3/T3S protocol data it sends is trusted, while a client that does not match the IP address whitelist is an untrusted client and the T3/T3S protocol data it sends is also untrusted.
In this embodiment of the present invention, the IP address whitelist in the WebLogic server is preset and is determined according to the security level of each client in the whole network. Optionally, a configuration file name is added to the startup parameters of the Java program, this configuration file being the IP address whitelist; when the IP address whitelist changes, this is done by modifying, adding or replacing the configuration file.
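The following is an added example, not code from the patent or from WebLogic, showing what the gate described in steps S301 and S302 looks like as a Java class that the socket-handling code would call: the whitelist file is named by a JVM startup parameter, a request is checked for T3/T3S protocol data, and a request from an address outside the whitelist is rejected and recorded as an attack event. Everything not stated on the page is an assumption: the property name `t3.whitelist.file`, the class and method names, the detection of T3 by its leading ASCII `t3 ` header, the log wording, and the acceptance of CIDR ranges in the whitelist in addition to single addresses (a generalization of the page's "matches the whitelist"). The whitelist and request bytes in `main` are constructed sample data.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.logging.Logger;

/** Whitelist gate for T3/T3S requests; the caller closes the socket on REJECT. (Added example.) */
public final class T3WhitelistGate {
    private static final Logger LOG = Logger.getLogger(T3WhitelistGate.class.getName());
    // Hypothetical startup parameter naming the whitelist file: -Dt3.whitelist.file=/path/whitelist.txt
    static final String WHITELIST_PROPERTY = "t3.whitelist.file";

    public enum Decision { ACCEPT, REJECT, NOT_T3 }

    /** One whitelist entry: a single address (full prefix) or a CIDR range. */
    private static final class Entry {
        final byte[] network; final int prefixBits;
        Entry(byte[] network, int prefixBits) { this.network = network; this.prefixBits = prefixBits; }
        boolean matches(byte[] addr) {
            if (addr.length != network.length) return false;   // IPv4 vs IPv6 never match
            for (int i = 0; i < prefixBits; i++) {
                int mask = 0x80 >>> (i % 8);
                if ((addr[i / 8] & mask) != (network[i / 8] & mask)) return false;
            }
            return true;
        }
    }

    private final List<Entry> entries = new ArrayList<>();

    /** Parses whitelist lines: blank lines and '#' comments are skipped; "a.b.c.d" or "a.b.c.d/bits". */
    public T3WhitelistGate(List<String> lines) throws UnknownHostException {
        for (String raw : lines) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            String[] parts = line.split("/", 2);
            byte[] net = InetAddress.getByName(parts[0]).getAddress();   // IP literals only, no DNS
            int bits = parts.length == 2 ? Integer.parseInt(parts[1]) : net.length * 8;
            if (bits < 0 || bits > net.length * 8) throw new IllegalArgumentException("bad prefix: " + line);
            entries.add(new Entry(net, bits));
        }
    }

    /** Loads the whitelist named by the startup parameter; a missing parameter yields an empty list. */
    public static T3WhitelistGate fromStartupParameter() throws IOException {
        String file = System.getProperty(WHITELIST_PROPERTY);
        if (file == null) return new T3WhitelistGate(Collections.<String>emptyList());
        return new T3WhitelistGate(Files.readAllLines(Paths.get(file), StandardCharsets.US_ASCII));
    }

    /** Assumption: a T3 handshake opens with the ASCII header "t3 <version>" ("t3s " when the client uses T3S). */
    public static boolean looksLikeT3(byte[] head) {
        String s = new String(head, 0, Math.min(head.length, 4), StandardCharsets.US_ASCII);
        return s.startsWith("t3 ") || s.startsWith("t3s ");
    }

    public boolean isTrusted(InetAddress client) {
        byte[] addr = client.getAddress();
        for (Entry e : entries) if (e.matches(addr)) return true;
        return false;
    }

    /** S301: only T3/T3S data is gated. S302: untrusted sources are rejected and logged as attack events. */
    public Decision decide(InetAddress client, byte[] head) {
        if (!looksLikeT3(head)) return Decision.NOT_T3;          // HTTP etc. take the normal path
        if (isTrusted(client)) return Decision.ACCEPT;
        LOG.warning("attack event: T3/T3S request from untrusted address " + client.getHostAddress());
        return Decision.REJECT;
    }

    public static void main(String[] args) throws Exception {
        // Constructed whitelist: one operations host plus a management subnet.
        T3WhitelistGate gate = new T3WhitelistGate(Arrays.asList("# ops hosts", "10.0.0.5", "192.168.10.0/24"));
        byte[] t3 = "t3 12.2.1\nAS:255\nHL:19\n\n".getBytes(StandardCharsets.US_ASCII);  // constructed handshake
        byte[] http = "GET / HTTP/1.1\r\n".getBytes(StandardCharsets.US_ASCII);
        System.out.println(gate.decide(InetAddress.getByName("10.0.0.5"), t3));
        System.out.println(gate.decide(InetAddress.getByName("192.168.10.77"), t3));
        System.out.println(gate.decide(InetAddress.getByName("203.0.113.9"), t3));
        System.out.println(gate.decide(InetAddress.getByName("203.0.113.9"), http));
    }
}
```

Because the decision is made inside the server on the first bytes of the connection, it applies equally to requests arriving via the proxy and to requests from hosts on the same LAN, which is the gap left by deployment scheme 1. Reading the list from a file named by a startup parameter means the list can be changed by editing or replacing the file without touching any Java class.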
可选的,在本发明实施例中,WebLogic服务器想要实现IP地址白名单的判断,还需要确定在WebLogic服务器中处理T3/T3S的类。Optionally, in the embodiment of the present invention, if the WebLogic server wants to realize the judgment of the IP address whitelist, it also needs to determine the class of processing T3/T3S in the WebLogic server.
具体的,可以通过历史WebLogic Java反序列化漏洞触发时,在WebLogic日志中记录的异常信息来确定WebLogic服务器中处理T3/T3S的类。Specifically, the abnormal information recorded in the WebLogic log when the historical WebLogic Java deserialization vulnerability is triggered can be used to determine the T3/T3S class in the WebLogic server.
在异常信息中包含了漏洞触发时的堆栈信息,根据堆栈信息可以了解WebLogic的处理流程。经过分析发现,当漏洞触发时,WebLogic会按照固定的步骤对T3/T3S协议数据进行处理,分别经过了线程相关类、套接字相关类的处理,最后进行Java反序列化处理,具体过程如图4所示,经过分析后可以确认WebLogic处理T3协议的类为“WebLogic.rjvm.t3.MuxableSocketT3”;处理T3S协议的类为“WebLogic.rjvm.t3.MuxableSocketT3S”,继承自MuxableSocketT3类,且MuxableSocketT3S类中没有对协议处理过程进行修 改,因此只需要处理MuxableSocketT3类。The exception information contains the stack information when the vulnerability is triggered, and the processing flow of WebLogic can be understood according to the stack information. After analysis, it is found that when the vulnerability is triggered, WebLogic will process the T3/T3S protocol data according to fixed steps. After the thread-related classes and socket-related classes are processed, the Java deserialization process is finally performed. The specific process is as follows As shown in Figure 4, after analysis, it can be confirmed that the class that WebLogic handles the T3 protocol is "WebLogic.rjvm.t3.MuxableSocketT3"; the class that handles the T3S protocol is "WebLogic.rjvm.t3.MuxableSocketT3S", which inherits from the MuxableSocketT3 class and MuxableSocketT3S There is no modification to the protocol processing in the class, so only the MuxableSocketT3 class needs to be processed.
也就是说,也就是说,修改WebLogic服务器的MuxableSocketT3类,可以增加判断IP地址是否在白名单中的判断过程。That is to say, modifying the MuxableSocketT3 class of the WebLogic server can increase the judging process of judging whether the IP address is in the whitelist.
Specifically, before optimizing the MuxableSocketT3 class, the path of the jar package containing MuxableSocketT3 must be located. MuxableSocketT3 can be located by the following methods.
First method: when the MuxableSocketT3 class exists on its own, install any J2EE application in WebLogic, create a JSP file at a location in the application directory where JSP (Java Server Pages) files can be parsed, and save the following content in it to output the location of the jar package containing the MuxableSocketT3 class. As shown in Figure 5, it includes:
Step S501: obtain the class object of WebLogic.rjvm.t3.MuxableSocketT3;
Step S502: call the getResource("").getPath() method of the above object;
Step S503: obtain the path of the jar package containing the MuxableSocketT3 class returned by the above method;
Step S504: print the path of the jar package containing the MuxableSocketT3 class.
Second method: when the MuxableSocketT3 class exists inside a jar package, install any J2EE application in WebLogic, create a JSP file at a location in the application directory where JSP files can be parsed, and save the following content in it to output the location of the jar package containing the MuxableSocketT3 class. As shown in Figure 6, it includes:
Step S601: obtain the class object of WebLogic.rjvm.t3.MuxableSocketT3;
Step S602: call the getProtectionDomain().getCodeSource().getFile() method of the above object;
Step S603: obtain the path of the jar package containing the MuxableSocketT3 class returned by the above method;
Step S604: print the path of the jar package containing the MuxableSocketT3 class.
Accessing the JSP file created above with a browser outputs the full path of the jar package containing the MuxableSocketT3 class.
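The two locating methods of Figures 5 and 6, written out as a stand-alone Java utility. This is an added example, not code from the patent or from WebLogic: the class name is taken from the command line (defaulting to the utility's own class so it runs anywhere), and for the second method the standard API chain is getProtectionDomain().getCodeSource().getLocation().getFile(), since CodeSource exposes its path through getLocation(). On a real WebLogic installation the package name is lowercase (weblogic.rjvm.t3), whereas the page writes it with a capital W.

```java
import java.net.URL;
import java.security.CodeSource;

/** Reports where a class is loaded from, using both methods described for Figures 5 and 6. */
public class LocateClassJar {

    /** Method 1 (steps S501-S504): getResource("") on the class object.
     *  For a class inside a jar this yields a "file:/path/x.jar!/pkg/" style path;
     *  for a class in a directory it yields that directory. Null if the loader cannot resolve it. */
    public static String locateByResource(Class<?> clazz) {
        URL url = clazz.getResource("");
        return url == null ? null : url.getPath();
    }

    /** Method 2 (steps S601-S604): protection domain -> code source -> location.
     *  Bootstrap classes (java.lang.String etc.) have no CodeSource, hence the null checks. */
    public static String locateByCodeSource(Class<?> clazz) {
        CodeSource cs = clazz.getProtectionDomain().getCodeSource();
        if (cs == null || cs.getLocation() == null) {
            return null;
        }
        return cs.getLocation().getFile();
    }

    /** Usage: java LocateClassJar [fully.qualified.ClassName] */
    public static void main(String[] args) throws ClassNotFoundException {
        String name = args.length > 0 ? args[0] : LocateClassJar.class.getName();
        Class<?> clazz = Class.forName(name);
        System.out.println("class:            " + clazz.getName());
        System.out.println("resource path:    " + locateByResource(clazz));
        System.out.println("code source path: " + locateByCodeSource(clazz));
    }
}
```

Inside a JSP, the same two calls can be embedded as `<%= LocateClassJar.locateByCodeSource(Class.forName("weblogic.rjvm.t3.MuxableSocketT3")) %>` once the utility class is on the application's classpath; the JSP is only a convenient way to run the lookup with WebLogic's own class loader, and should be removed again after the path has been noted.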
After the jar package containing the MuxableSocketT3 class has been located, the T3/T3S protocol processing flow of the MuxableSocketT3 class is improved so that, after receiving T3/T3S protocol data, the WebLogic server can determine whether the client's IP address is an IP address in the whitelist.
After the improvement to the MuxableSocketT3 class is complete, the files related to the MuxableSocketT3 class in its jar package need to be updated to the improved class; the change takes effect after WebLogic is restarted.
From the above, if the WebLogic server determines that the client's IP matches the IP address whitelist, it thereby determines that the client's IP address is a trusted IP address.
Step S303: if the WebLogic server determines that the Internet Protocol (IP) address of the client is a trusted IP address, it processes the T3/T3S protocol data so that the request is handled by the normal flow.
Specifically, once the client has been determined to be a trusted client, the T3/T3S protocol data is executed, for example: the WebLogic server itself runs WebLogic's stop or start script; WebLogic performs configuration, management and similar operations by command; or WebLogic performs functional operations such as monitoring and management.
In an optional embodiment, when the WebLogic server determines that the client's IP does not match the IP address whitelist, it refuses the connection with the client and records the data request as an attack event; recording attack events allows them to be analysed.
In the embodiment of the present invention, in order to avoid other potential security problems arising from the WebLogic server port being directly exposed to the Internet, a proxy server can also be deployed between users and the WebLogic server. The proxy server can be deployed on a separate server, so it does not add performance overhead to the WebLogic server and does not affect normal business; when verifying, the scope to be tested is small and the test workload is also small. It does not affect normal functionality, and there is no hidden risk of Java deserialization vulnerabilities.
In other words, the WebLogic server receives data requests sent by Internet clients through the proxy server, and receives data requests sent by clients on the same local area network directly.
Through the contents of the above embodiments of the present invention, without affecting normal users' use of the various business functions, an attacker can neither exploit a WebLogic Java deserialization vulnerability from the Internet nor exploit one after taking control of another server in the local area network. Compared with the prior art, restricting the T3/T3S service provided by WebLogic so that it can only be accessed from trusted servers (for example the WebLogic server itself, or a well-protected server used by operations staff) makes it possible to defend against Java deserialization vulnerabilities caused by as yet unknown classes, protecting WebLogic from Java deserialization vulnerabilities to the greatest extent; it still allows other trusted servers to access the T3/T3S service provided by WebLogic, so WebLogic services can be managed by remote command from those trusted servers without affecting WebLogic's availability or operations; it makes it possible to detect attempts to exploit WebLogic Java deserialization vulnerabilities and to obtain threat intelligence; it requires no change to the port on which WebLogic provides its service and no adjustment of network policy, so normal business functions are unaffected; it requires no additional proxy application on the WebLogic server, so it adds no performance overhead to the WebLogic server and does not affect normal business; and after the whitelist check is added to WebLogic according to the method of the embodiment of the present invention, the scope to be tested to verify that normal business functions are unaffected is small and the test workload is also small.
To better explain the embodiments of the present application, a deserialization vulnerability protection method provided by the embodiments of the present application is described below in combination with a specific implementation scenario. The method is applied to the WebLogic server of a bank or other financial institution. A configuration file name is added to the startup parameters of the Java program of the WebLogic server, that is, an IP address whitelist is added, which is used to dynamically configure the trusted IPs from which WebLogic is allowed to receive the T3/T3S protocol; after the trusted IPs are modified, the change takes effect without restarting the WebLogic server. In the dispatch method of the MuxableSocketT3 class, which processes T3/T3S protocol data, each time a T3/T3S protocol request is received the trusted IPs are read from the specified configuration file and it is determined whether the IP of the current request is a trusted IP; if so, T3/T3S protocol processing continues; if not, the connection is refused and the details of the attack event are recorded in a dedicated log file. The optimized flow of the dispatch method of the MuxableSocketT3 class, applied in the WebLogic server, is shown in Figure 7; the specific steps are:
Step S701: receive T3/T3S protocol data;
Step S702: obtain the IP address whitelist configured in the startup parameters of the Java program;
Step S703: determine whether the IP address of the client currently sending the T3/T3S protocol data matches an IP address in the IP address whitelist; if so, go to step S704; otherwise, go to step S705;
Step S704: execute the T3/T3S protocol data;
Step S705: refuse the connection with the client, and record the data request as an attack event.
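The whitelist decision of steps S701-S705, and the startup-parameter configuration described earlier for the whitelist file, as one stand-alone Java class. This is an added example, not the patent's own code and not WebLogic code: the system property names `t3.whitelist.file` and `t3.attack.log`, the `dispatchGuard` method and the attack-event line format are all assumptions, and the whitelist and peers in `main` are constructed. The whitelist file is re-read on every request, which is what lets an edit take effect without a restart; the hook point the page describes, inside MuxableSocketT3.dispatch, would call `dispatchGuard` with the socket's remote address and close the socket when it returns false.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.time.Instant;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Whitelist check for T3/T3S connections, modelled on the dispatch flow of Figure 7 (Java 11+). */
public class T3WhitelistGuard {
    /** Assumed JVM startup parameter naming the whitelist file (-Dt3.whitelist.file=/path). */
    public static final String WHITELIST_PROPERTY = "t3.whitelist.file";
    /** Assumed JVM startup parameter naming the dedicated attack-event log. */
    public static final String ATTACK_LOG_PROPERTY = "t3.attack.log";

    /** Step S702: read the whitelist; one IP literal per line, blank lines and '#' comments ignored. */
    public static Set<String> loadWhitelist(Path file) throws IOException {
        Set<String> trusted = new HashSet<>();
        for (String line : Files.readAllLines(file, StandardCharsets.UTF_8)) {
            String entry = line.trim();
            if (entry.isEmpty() || entry.startsWith("#")) continue;
            trusted.add(normalize(entry));
        }
        return trusted;
    }

    /** Canonicalise IP text so that "::1" and "0:0:0:0:0:0:0:1" compare equal. Entries must be literals;
     *  text that is not a valid address is kept verbatim, so it can never match a real peer address. */
    static String normalize(String ip) {
        try {
            return InetAddress.getByName(ip).getHostAddress();
        } catch (UnknownHostException e) {
            return ip;
        }
    }

    /** Step S703: is the peer that sent the T3/T3S data a trusted IP? */
    public static boolean isTrusted(String clientIp, Set<String> whitelist) {
        return whitelist.contains(normalize(clientIp));
    }

    /** Step S705: record the refused request as an attack event (assumed line format). */
    public static void recordAttackEvent(Path log, String clientIp, int clientPort, int bytes) throws IOException {
        String line = String.format("%s T3_WHITELIST_REJECT client=%s port=%d bytes=%d%n",
                Instant.now(), clientIp, clientPort, bytes);
        Files.write(log, line.getBytes(StandardCharsets.UTF_8),
                StandardOpenOption.CREATE, StandardOpenOption.APPEND);
    }

    /** The decision point added to dispatch: true = continue normal T3/T3S processing (S704),
     *  false = the caller must close the connection (S705). */
    public static boolean dispatchGuard(String clientIp, int clientPort, byte[] t3Data) throws IOException {
        Path whitelistFile = Paths.get(System.getProperty(WHITELIST_PROPERTY));
        Set<String> trusted = loadWhitelist(whitelistFile);            // S702, read on every request
        if (isTrusted(clientIp, trusted)) {                             // S703
            return true;                                                // S704
        }
        Path log = Paths.get(System.getProperty(ATTACK_LOG_PROPERTY, "t3-attack-events.log"));
        recordAttackEvent(log, clientIp, clientPort, t3Data.length);   // S705
        return false;
    }

    /** Stand-alone demonstration with a constructed whitelist and two constructed peers. */
    public static void main(String[] args) throws IOException {
        Path whitelist = Files.createTempFile("t3-whitelist", ".txt");
        Files.write(whitelist, List.of("# constructed whitelist", "127.0.0.1", "::1", "10.0.0.5"),
                StandardCharsets.UTF_8);
        System.setProperty(WHITELIST_PROPERTY, whitelist.toString());
        Path log = Files.createTempFile("t3-attack", ".log");
        System.setProperty(ATTACK_LOG_PROPERTY, log.toString());

        byte[] data = "constructed stand-in for T3/T3S request bytes".getBytes(StandardCharsets.US_ASCII);
        System.out.println("10.0.0.5    -> " + (dispatchGuard("10.0.0.5", 40001, data) ? "process" : "reject"));
        System.out.println("203.0.113.9 -> " + (dispatchGuard("203.0.113.9", 40002, data) ? "process" : "reject"));
        System.out.print(Files.readString(log));
    }
}
```

The address compared is the immediate TCP peer. When the proxy server described on this page sits in front of WebLogic, Internet clients all arrive from the proxy's address, so the proxy should not be placed in the whitelist unless it is itself trusted to speak T3/T3S; the intended effect is that the proxy forwards only HTTP and the T3/T3S whitelist stays limited to the local machine and the operations hosts.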
Based on the same technical concept, an embodiment of the present application provides a deserialization vulnerability protection device. As shown in Figure 8, the device 800 includes:
a T3/T3S protocol data determining unit 801, configured to receive a data request sent by at least one client and determine whether the data request includes T3/T3S protocol data;
a judging unit 802, configured to, if it is determined that the data request includes T3/T3S protocol data, determine whether the client's IP address is a trusted IP address according to the Internet Protocol (IP) address of the client and a pre-configured IP address whitelist;
a T3/T3S protocol data processing unit 803, configured to, if it is determined that the client's IP address is a trusted IP address, process the T3/T3S protocol data so that the request is handled by the normal flow.
Further, the judging unit 802 is specifically configured to:
when the MuxableSocketT3 class is executed, obtain the startup parameters of the WebLogic server, the startup parameters including the IP address whitelist;
if it is determined that the client's IP matches the IP address whitelist, determine that the client's IP address is a trusted IP address.
Further, the T3/T3S protocol data processing unit 803 is also configured to:
if it is determined that the client's IP does not match the IP address whitelist, refuse the connection with the client and record the data request as an attack event.
Further, the T3/T3S protocol data determining unit 801 is specifically configured to:
receive data requests sent by Internet clients through a proxy server, and receive data requests sent by clients on the same local area network.
Further, the device also includes a configuration unit 804:
configured to determine the location of the MuxableSocketT3 class and add the steps of the deserialization vulnerability protection method to the MuxableSocketT3 class.
Further, the configuration unit 804 is specifically configured to:
determine the location of the MuxableSocketT3 class according to whether the MuxableSocketT3 class exists on its own.
Based on the same technical concept, an embodiment of the present application provides a computer device which, as shown in Figure 9, includes at least one processor 901 and a memory 902 connected to the at least one processor. The embodiment of the present application does not limit the specific connection medium between the processor 901 and the memory 902; in Figure 9 the processor 901 and the memory 902 are connected by a bus, by way of example. The bus can be divided into an address bus, a data bus, a control bus, and so on.
In the embodiment of the present application, the memory 902 stores instructions executable by the at least one processor 901, and by executing the instructions stored in the memory 902 the at least one processor 901 can perform the steps included in the deserialization vulnerability protection method described above.
The processor 901 is the control centre of the computer device; it can connect the various parts of the terminal device through various interfaces and lines, and obtains the client address by running or executing the instructions stored in the memory 902 and calling the data stored in the memory 902. Optionally, the processor 901 may include one or more processing units, and may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface and application programs, and the modem processor mainly handles wireless communication. It will be understood that the modem processor need not be integrated into the processor 901. In some embodiments the processor 901 and the memory 902 may be implemented on the same chip; in other embodiments they may be implemented on separate chips.
The processor 901 may be a general-purpose processor, such as a central processing unit (CPU), a digital signal processor, an application-specific integrated circuit (ASIC), a field-programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in connection with the embodiments of the present application may be carried out directly by a hardware processor, or by a combination of hardware and software modules in the processor.
The memory 902, as a non-volatile computer-readable storage medium, can be used to store non-volatile software programs, non-volatile computer-executable programs and modules. The memory 902 may include at least one type of storage medium, for example flash memory, a hard disk, a multimedia card, card-type memory, random access memory (RAM), static random access memory (SRAM), programmable read-only memory (PROM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), magnetic memory, a magnetic disk, an optical disc, and so on. The memory 902 is, but is not limited to, any other medium that can carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 902 in the embodiment of the present application may also be a circuit or any other device capable of performing a storage function, used to store program instructions and/or data.
Based on the same technical concept, an embodiment of the present application provides a computer-readable storage medium storing a computer program executable by a computer device; when the program runs on the computer device, it causes the computer device to perform the steps of the deserialization vulnerability protection method.
Based on the same technical concept, an embodiment of the present application provides a computer program product comprising a computer program stored on a computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer device to perform the steps of the deserialization vulnerability protection method.
A person of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be completed by hardware instructed by a program; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes: removable storage devices, read-only memory (ROM), random access memory (RAM), magnetic disks, optical discs and other media that can store program code.
Alternatively, if the above integrated units of the present application are implemented in the form of software function modules and sold or used as independent products, they may also be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the embodiments of the present application, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and including several instructions to cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the methods described in the various embodiments of the present application. The storage medium includes: removable storage devices, ROM, RAM, magnetic disks, optical discs and other media that can store program code.
The above are only specific embodiments of the present application, but the scope of protection of the present application is not limited thereto; any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present application shall be covered by the scope of protection of the present application. Therefore, the scope of protection of the present application shall be that of the claims.

Claims (15)

  1. A deserialization vulnerability protection method, characterized in that it is applied to a WebLogic server, the method comprising:
    the WebLogic server receiving a data request sent by at least one client, and determining whether the data request includes T3/T3S protocol data;
    if the WebLogic server determines that the data request includes T3/T3S protocol data, determining whether the client's IP address is a trusted IP address according to the Internet Protocol (IP) address of the client and a pre-configured IP address whitelist;
    if the WebLogic server determines that the Internet Protocol (IP) address of the client is a trusted IP address, processing the T3/T3S protocol data so that the request is handled by the normal flow.
  2. The method according to claim 1, characterized in that the WebLogic server determining whether the client's IP address is a trusted IP address according to the Internet Protocol (IP) address of the client and a pre-configured IP address whitelist comprises:
    when the WebLogic server executes the MuxableSocketT3 class, obtaining the startup parameters of the WebLogic server, the startup parameters including the IP address whitelist;
    if the WebLogic server determines that the client's IP matches the IP address whitelist, determining that the client's IP address is a trusted IP address.
  3. The method according to claim 2, characterized in that the method further comprises:
    if the WebLogic server determines that the client's IP does not match the IP address whitelist, refusing the connection with the client and recording the data request as an attack event.
  4. The method according to claim 1, characterized in that the WebLogic server receiving a data request sent by at least one client comprises:
    the WebLogic server receiving data requests sent by Internet clients through a proxy server, and the WebLogic server receiving data requests sent by clients on the same local area network.
  5. The method according to claim 2, characterized in that, before the WebLogic server receives a data request sent by at least one client, the method further comprises:
    the WebLogic server determining the location of the MuxableSocketT3 class; and the WebLogic server adding the steps of the deserialization vulnerability protection method to the MuxableSocketT3 class.
  6. The method according to claim 5, characterized in that the WebLogic server determining the location of the MuxableSocketT3 class comprises:
    the WebLogic server determining the location of the MuxableSocketT3 class according to whether the MuxableSocketT3 class exists on its own.
  7. A deserialization vulnerability protection device, characterized in that the device comprises:
    a T3/T3S protocol data determining unit, configured to receive a data request sent by at least one client and determine whether the data request includes T3/T3S protocol data;
    a judging unit, configured to, if it is determined that the data request includes T3/T3S protocol data, determine whether the client's IP address is a trusted IP address according to the Internet Protocol (IP) address of the client and a pre-configured IP address whitelist;
    a T3/T3S protocol data processing unit, configured to, if it is determined that the Internet Protocol (IP) address of the client is a trusted IP address, process the T3/T3S protocol data so that the request is handled by the normal flow.
  8. The device according to claim 7, characterized in that the judging unit is specifically configured to:
    when the MuxableSocketT3 class is executed, obtain the startup parameters of the WebLogic server, the startup parameters including the IP address whitelist;
    if it is determined that the client's IP matches the IP address whitelist, determine that the client's IP address is a trusted IP address.
  9. The device according to claim 8, characterized in that the T3/T3S protocol data processing unit is further configured to:
    if it is determined that the client's IP does not match the IP address whitelist, refuse the connection with the client and record the data request as an attack event.
  10. The device according to claim 7, characterized in that the T3/T3S protocol data determining unit is specifically configured to:
    receive data requests sent by Internet clients through a proxy server, and receive data requests sent by clients on the same local area network.
  11. The device according to claim 8, characterized in that the device further comprises a configuration unit, the configuration unit being configured to: determine the location of the MuxableSocketT3 class, and add the steps of the deserialization vulnerability protection method to the MuxableSocketT3 class.
  12. The device according to claim 11, characterized in that the configuration unit is specifically configured to:
    determine the location of the MuxableSocketT3 class according to whether the MuxableSocketT3 class exists on its own.
  13. A computer device, comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the method according to any one of claims 1 to 6.
  14. A computer-readable storage medium, characterized in that it stores a computer program executable by a computer device, and when the program runs on the computer device, it causes the computer to perform the method according to any one of claims 1 to 6.
  15. A computer program product, characterized in that the computer program product comprises a computer program stored on a computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the method according to any one of claims 1 to 6.
PCT/CN2020/083363 2019-05-24 2020-04-03 Method and device for protection from deserialization vulnerability WO2020238414A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910438428.7 2019-05-24
CN201910438428.7A CN110166459B (en) 2019-05-24 2019-05-24 Protection method, device and equipment for deserialization loophole and readable storage medium

Publications (1)

Publication Number Publication Date
WO2020238414A1 true WO2020238414A1 (en) 2020-12-03

Family

ID=67632544


Country Status (2)

Country Link
CN (1) CN110166459B (en)
WO (1) WO2020238414A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116628694A (en) * 2023-07-25 2023-08-22 杭州海康威视数字技术股份有限公司 Anti-serialization 0day security risk defense method, device and equipment

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110166459B (en) * 2019-05-24 2022-12-27 深圳前海微众银行股份有限公司 Protection method, device and equipment for deserialization loophole and readable storage medium
CN111031067A (en) * 2019-12-24 2020-04-17 上海中信信息发展股份有限公司 Monitoring data transmission method and device of distributed system and electronic equipment
CN112035831A (en) * 2020-08-14 2020-12-04 深信服科技股份有限公司 Data processing method, device, server and storage medium
CN113760443A (en) * 2020-11-19 2021-12-07 北京沃东天骏信息技术有限公司 Data processing method, device, electronic equipment, system and storage medium
CN114070580B (en) * 2021-09-30 2024-05-07 奇安信科技集团股份有限公司 Anti-serialization attack detection method, device, electronic equipment, medium and program
CN114143192A (en) * 2021-12-03 2022-03-04 中国建设银行股份有限公司 Configuration method and device of Weblogic T3 filter

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150082424A1 (en) * 2013-09-19 2015-03-19 Jayant Shukla Active Web Content Whitelisting
CN108234453A (en) * 2017-12-12 2018-06-29 杭州安恒信息技术有限公司 A kind of web safety defense methods of rule-based Java
CN110166459A (en) * 2019-05-24 2019-08-23 深圳前海微众银行股份有限公司 A kind of means of defence and device of unserializing loophole

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102364921A (en) * 2011-11-21 2012-02-29 携程计算机技术(上海)有限公司 Realization method and equipment for enterprise service bus and corresponding platform
US10701097B2 (en) * 2011-12-20 2020-06-30 Micro Focus Llc Application security testing
CN103428186A (en) * 2012-05-24 2013-12-04 中国移动通信集团公司 Method and device for detecting phishing website
CN106993000A (en) * 2017-05-26 2017-07-28 山东浪潮商用系统有限公司 Solve method, Reverse Proxy and the system of unserializing leak

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
OLIVER: "Bug solutions for Weblogic2628 requiring the use of T3 protocol", WEBLOGIC2628, 5 June 2018 (2018-06-05), Retrieved from the Internet <URL:https://www.cnblogs.com/oliver-yt/p/9140068.html> *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116628694A (en) * 2023-07-25 2023-08-22 杭州海康威视数字技术股份有限公司 Anti-serialization 0day security risk defense method, device and equipment
CN116628694B (en) * 2023-07-25 2023-11-21 杭州海康威视数字技术股份有限公司 Anti-serialization 0day security risk defense method, device and equipment

Also Published As

Publication number Publication date
CN110166459B (en) 2022-12-27
CN110166459A (en) 2019-08-23

Similar Documents

Publication Publication Date Title
WO2020238414A1 (en) Method and device for protection from deserialization vulnerability
US11327898B2 (en) Systems and methods for centrally managed host and network firewall services
US11218445B2 (en) System and method for implementing a web application firewall as a customized service
US8713665B2 (en) Systems, methods, and media for firewall control via remote system information
US20170111368A1 (en) Systems and methods for true privilege application elevation
US11831420B2 (en) Network application firewall
US8799441B2 (en) Remote computer management when a proxy server is present at the site of a managed computer
US6584508B1 (en) Advanced data guard having independently wrapped components
US8875272B2 (en) Firewall for controlling connections between a client machine and a network
US9160614B2 (en) Remote computer management using network communications protocol that enables communication through a firewall and/or gateway
US7343599B2 (en) Network-based patching machine
US20010044904A1 (en) Secure remote kernel communication
US20100186089A1 (en) Method and system for protecting cross-domain interaction of a web application on an unmodified browser
US20060129808A1 (en) Method and system for distributing security policies
US7827547B1 (en) Use of a dynamically loaded library to update remote computer management capability
US20100131616A1 (en) DMZ Framework
WO2020259390A1 (en) Method and apparatus for detecting deserialization vulnerability
US8713640B2 (en) System and method for logical separation of a server by using client virtualization
EP4248345A1 (en) Snap-in secret server support
US20080320581A1 (en) Systems, methods, and media for firewall control via process interrogation
US11729176B2 (en) Monitoring and preventing outbound network connections in runtime applications
US12028207B1 (en) System and method for dynamically aggregating multiple firewall security configurations in a decentralized network
US8504665B1 (en) Management of a device connected to a remote computer using the remote computer to effect management actions
WO2017117080A1 (en) Systems and methods for true privilege application elevation
CN117932595A (en) Authority control method, authority control device, terminal equipment and computer readable storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20814506

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20814506

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 18/03/2022)